Wednesday, May 13, 2009

5 great Web security blogs you haven't heard of

I read a tremendous amount of online material, much of which originates from 200+ RSS feeds. Sure, the well-known blogs continue to generate great, timely content, but there are a few diamonds in the rough that don't get a lot of attention. They instead focus on quality rather than quantity in their postings, offering deep infosec business and technical analysis on subjects not well covered elsewhere. Figured I should share a few of my favorites.

Boaz Gelbord
With a business rather than technical tone, Boaz discusses how organizations act and react to certain events in the industry such as compliance, regulations and law. The management decisions, spending, and incentives that influence organizational behavior are routinely explored.

ZScaler Research - Michael Sutton, Jeff Forristal, etc.
Heavy on the technical details and very timely in regard to Web security related issues. Cross-Site Scripting, Browser Security, Worms, etc. What more did you want!?

HolisticInfoSec.org - Russ McRee
The best way I can describe Russ is that he keeps the infosec industry honest, and that includes vendors AND website owners. While exceptionally fair-minded, he's not at all shy to call BS when he sees it.

The Spanner - Gareth Heyes
Deeply technical. Browser vendors, beware of Gareth Heyes, the master of HTML/JS code obfuscation. Encodings, strange "features", and XSS are just some of the topics covered in stellar detail.

@Andrew, if the code was your own (and not the ASP's), I'd say you unfortunately are left holding the bag with regard to costs and responsibility. That is unless they've taken on some contractual liability, but doubtful. Also the ASP likely could not have done much about such an attack against vulnerable custom code with traditional security technology.

Some ASPs are now offering "security" as a differentiating factor and installing Web Application Firewalls. Check out: http://www.firehost.com/

Unfortunately, SQL injection is due to a lack of sufficient input validation and sanitization within your web application's code.

Ultimately the fault lies with yourselves/your developers - rather than your webhost who may/may not be responsible for infrastructure level issues (for example an out of date webserver that contains vulnerabilities).

In terms of preventing SQL injection, the most effective way is to use prepared statements (also known as parameterized queries). Also, don't forget to have frequent penetration tests to find issues before someone else exploits them.

Realise this comment was made some time ago, but hopefully this will be useful to other readers too.
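The prepared-statement advice in the comment above, shown as an added example that is not code from the post or from any of the commenters: a lookup written by splicing the username into the SQL text, beside the same lookup written as a parameterized query, run against a constructed in-memory SQLite table. The sample rows, the `lookup_*` function names and the allow-list rule for usernames are assumptions made for this demonstration, and the "hostile" input is a constructed test string, not anything from a real request.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for the web app's user store.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def build_db():
    """Create an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """VULNERABLE: the untrusted value is pasted into the SQL text, so the
    database parser treats whatever the caller typed as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """SAFE: a prepared (parameterized) statement. The SQL text is fixed; the
    value is bound separately and can only ever be compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed allow-list for this hypothetical application's usernames.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Input validation as defense in depth: reject anything that is not a
    plausible username before it reaches the database at all."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Validation plus parameterization, the combination the comment recommends."""
    if not is_valid_username(username):
        return []
    return lookup_param(conn, username)


def demo():
    """Return the row count each variant produces for a benign and a hostile input."""
    conn = build_db()
    hostile = "x' OR '1'='1"  # constructed test input that closes the quote and widens the WHERE clause
    return {
        "concat_benign": len(lookup_concat(conn, "alice")),
        "concat_hostile": len(lookup_concat(conn, hostile)),      # every row leaks
        "param_benign": len(lookup_param(conn, "alice")),
        "param_hostile": len(lookup_param(conn, hostile)),        # no user has that literal name
        "hardened_hostile": len(lookup_hardened(conn, hostile)),  # rejected before the query runs
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The parameterized variant needs no escaping logic of its own; the driver sends the statement and the value separately, which is why it is the primary fix and the allow-list check is only a second layer.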

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!